Traffic monitoring and management systems attempt to recognize applications by analyzing the content of traffic flows. This is referred to as Deep Packet Inspection (DPI). However there are several problems with DPI. DPI cannot interpret the content of encrypted packets. Currently over 30% of Internet traffic is encrypted, and this is increasing. DPI further cannot identify the application until some traffic has flowed. Even in the best case this means that the first few packets cannot be associated with an application. Finally, there are many applications, often the ones of most interest (such as peer-to-peer protocols, which consume large amounts of bandwidth), that require tens of packets before they can be identified. Hence in practice it is not possible to rely on DPI to identify all traffic. The systems and methods disclosed herein provide an improved approach for recognizing applications in network traffic.